10579798

Electronic Device and Method for Detecting Malicious File

Published: March 3, 2020
Assignee: not available in USPTO data

Patent Claims
17 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method for detecting a malicious file, comprising: searching an executable file and extracting an import table from the executable file, wherein the import table at least comprises a name of a first dynamic-link library (DLL) and a name of a second DLL; wherein the first DLL comprises a first function which is the last function of the first DLL, and the second DLL comprises a second function which is the first function of the second DLL; wherein the first DLL corresponds to a first address range that ends with an address of the first function, and the second DLL corresponds to a second address range that starts with an address of the second function; calculating a distance between the address of the first function and the address of the second function; determining whether the distance exceeds a threshold; and regarding the executable file as a normal file if the distance does not exceed the threshold.

Plain English Translation

This invention relates to cybersecurity, specifically detecting malicious files by analyzing their dynamic-link library (DLL) import behavior. The problem addressed is identifying potentially harmful executable files that exhibit suspicious patterns in their DLL imports, which may indicate malware. The method involves examining an executable file to extract its import table, which lists the DLLs and functions the file relies on. The system identifies a first DLL containing a function that is the last function in its address range and a second DLL containing a function that is the first function in its address range. The first DLL's address range ends at the address of its last function, while the second DLL's address range begins at the address of its first function. The system then calculates the distance between the addresses of these two functions. If this distance does not exceed a predefined threshold, the executable file is classified as normal. If the distance exceeds the threshold, it may indicate malicious behavior, though this is not explicitly stated in the claim. This approach leverages the observation that legitimate files typically have predictable and compact DLL import patterns, while malware may exhibit irregular or unusually large gaps between imported functions. The method focuses on the spatial relationship between DLL functions in memory to assess file legitimacy.

Claim 2

Original Legal Text

2. The method according to claim 1 , wherein if the distance exceeds the threshold, then whether a duplicate content of the import table exists in the executable file is checked, and the executable file is regarded as a malicious file if the duplicate content of the import table exists in the executable file.

Plain English Translation

Claim 2 adds a second test that runs only when the distance computed in claim 1 exceeds the threshold. In that case the method checks whether duplicate content of the import table exists in the executable file, that is, whether the import table's content appears more than once in the file. If such duplicate content exists, the file is regarded as malicious. A large gap between the last function of the first DLL and the first function of the second DLL is therefore not enough on its own; the duplicated import table content is the second indicator that tips the decision to malicious. The claim does not define duplicate content further than its existing in the executable file.

Claim 3

Original Legal Text

3. The method according to claim 2 , wherein if the duplicate content of the import table does not exist in the executable file, then the executable file is regarded as the normal file.

Plain English Translation

Claim 3 completes the decision of claim 2: when the distance exceeds the threshold but no duplicate content of the import table exists in the executable file, the file is regarded as the normal file. Taken together, claims 1 to 3 describe a two-stage test. A file whose distance is within the threshold is normal. A file whose distance exceeds the threshold is malicious only if its import table content is also duplicated in the file; otherwise it too is treated as normal.

Claim 4

Original Legal Text

4. The method according to claim 1 , wherein the import table further comprises a plurality of names of a plurality of first functions of the first DLL, a plurality of addresses of the first functions, a plurality of names of a plurality of second functions of the second DLL and a plurality of addresses of the second functions, and the distance is a difference obtained by subtracting the address of the last of the first functions from the address of the first of the second functions.

Plain English Translation

Claim 4 refines what the import table contains and how the distance is computed. Beyond the two DLL names, the import table lists the names and addresses of a plurality of functions imported from the first DLL and of a plurality of functions imported from the second DLL. The distance of claim 1 is then the difference obtained by subtracting the address of the last of the first DLL's functions from the address of the first of the second DLL's functions. Because the functions of one DLL are listed together in the import table, this difference measures the gap between where one DLL's entries end and where the next DLL's entries begin.

Claim 5

Original Legal Text

5. The method according to claim 4 , wherein the addresses of the first functions and the addresses of the second functions are relative virtual addresses (RVA).

Plain English Translation

Claim 5 specifies that the function addresses used in claim 4 are relative virtual addresses (RVAs), that is, offsets from the image base of the executable rather than absolute addresses. Because both terms of the subtraction are RVAs, the distance depends only on the layout of the file's import information and not on the address at which the executable happens to be loaded.

Claim 6

Original Legal Text

6. The method according to claim 1 , wherein the threshold relates to an average value and a standard deviation of a plurality of distances among a plurality of normal DLLs.

Plain English Translation

Claim 6 ties the threshold of claim 1 to a statistical baseline. A plurality of distances, each of the kind defined in claim 1, is measured among a plurality of normal DLLs, and the threshold is related to the average value and the standard deviation of those distances. The claim does not fix the exact formula; it only requires that the threshold be derived from those two statistics of the normal samples.

Claim 7

Original Legal Text

7. The method according to claim 6 , wherein the threshold is the average value plus two times of the standard deviation.

Plain English Translation

Claim 7 fixes the formula left open in claim 6: the threshold is the average value of the distances among normal DLLs plus two times their standard deviation. A distance measured in a file under examination that exceeds this value is therefore an outlier relative to the normal samples, and the file goes on to the duplicate-content check of claim 2.

Claim 8

Original Legal Text

8. The method according to claim 1 , wherein the threshold is greater than 300 bytes.

Plain English Translation

Claim 8 gives a lower bound for the threshold of claim 1 instead of a statistical formula: the threshold is greater than 300 bytes. Since the distance is a difference of addresses measured in bytes, a gap of 300 bytes or less between the last function of the first DLL and the first function of the second DLL is always within the threshold and results in the file being regarded as normal.

Claim 9

Original Legal Text

9. A method for detecting a malicious file, comprising: searching an executable file and extracting an import table from the executable file, wherein the import table at least comprises a name of a first DLL and a name of a second DLL; wherein the first DLL comprises a first function which is the last function of the first DLL, and the second DLL comprises a second function which is the first function of the second DLL; wherein the first DLL corresponds to a first address range that ends with an address of the first function, and the second DLL corresponds to a second address range that starts with an address of the second function; calculating a distance between the address of the first function and the address of the second function; checking whether a duplicate content of the import table exists in the executable file; and regarding the executable file as a malicious file if both the duplicate content of the import table exists in the executable file and the distance exceeds a threshold.

Plain English Translation

This invention relates to detecting malicious files by analyzing their import tables and memory address patterns. The method targets executable files that may contain malicious code by examining their dynamic link library (DLL) imports and function addresses. The process involves extracting the import table from an executable file, which includes the names of at least two DLLs. The first DLL contains a function that is its last function, while the second DLL contains a function that is its first function. The first DLL is associated with an address range ending at the address of its last function, and the second DLL is associated with an address range starting at the address of its first function. The method calculates the distance between the addresses of these two functions. Additionally, it checks whether the import table contains duplicate content within the executable file. If both the duplicate content exists and the calculated distance exceeds a predefined threshold, the executable file is flagged as malicious. This approach helps identify suspicious files by detecting unusual import table patterns and address proximity, which are common indicators of malicious behavior.
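The decision procedure of claims 1 to 9 (mirrored by the device claims 10 to 17), as an added worked example in Python; this is not code from the patent or from Patentable. It assumes the import table has already been parsed into per-DLL lists of function RVAs (a real tool would read the PE import directory to get them), reads "duplicate content of the import table" as the raw bytes of the import table region occurring a second time in the file, and generalises the two-DLL wording by taking the largest gap between any two adjacent DLLs. The baseline gaps, the DLL layouts and the file bytes are all constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class DllImports:
    """One DLL entry of a parsed import table: the DLL name and the RVAs of
    its imported functions in table order (assumed pre-parsed input)."""
    name: str
    function_rvas: list[int]


def dll_gap(first: DllImports, second: DllImports) -> int:
    """Claim 4 distance: RVA of the second DLL's first function minus the
    RVA of the first DLL's last function (claim 5: both are RVAs)."""
    return second.function_rvas[0] - first.function_rvas[-1]


def gaps_between_dlls(imports: list[DllImports]) -> list[int]:
    """Gap for every adjacent DLL pair; generalises the two-DLL wording."""
    return [dll_gap(a, b) for a, b in zip(imports, imports[1:])]


def threshold_from_normals(normal_gaps: list[int], k: float = 2.0) -> float:
    """Claims 6/7: mean of gaps measured on known-normal DLL pairs plus k
    standard deviations (claim 7 uses k = 2)."""
    return mean(normal_gaps) + k * pstdev(normal_gaps)


def count_occurrences(haystack: bytes, needle: bytes) -> int:
    """Non-overlapping occurrences of needle in haystack."""
    count, pos = 0, haystack.find(needle)
    while pos != -1:
        count += 1
        pos = haystack.find(needle, pos + len(needle))
    return count


def has_duplicate_import_table(file_bytes: bytes, table_offset: int,
                               table_len: int) -> bool:
    """Claims 2/9 duplicate check, read here as: the bytes of the import
    table region appear more than once in the file (assumed reading)."""
    table = file_bytes[table_offset:table_offset + table_len]
    return count_occurrences(file_bytes, table) > 1


def classify(imports: list[DllImports], file_bytes: bytes, table_offset: int,
             table_len: int, threshold: float) -> str:
    """Decision of claims 1-3, which claim 9 restates as a single condition:
    malicious only when the gap exceeds the threshold AND the import table
    content is duplicated in the file."""
    distance = max(gaps_between_dlls(imports), default=0)  # one DLL: no gap
    if distance <= threshold:
        return "normal"                                    # claim 1
    if has_duplicate_import_table(file_bytes, table_offset, table_len):
        return "malicious"                                 # claims 2 and 9
    return "normal"                                        # claim 3


# --- constructed sample data (not taken from any real binary) --------------

# Gaps observed on eight known-normal DLL pairs: with 4-byte import slots a
# single null terminator separates one DLL's entries from the next.
NORMAL_GAPS = [8, 8, 8, 8, 16, 8, 8, 16]

# Stand-in for the raw import table region of a file.
IMPORT_TABLE = b"IMPORT-TABLE-BYTES:" + bytes(range(16))
TABLE_OFFSET = 2 + 0x40   # "MZ" plus 64 bytes of padding


def build_sample_file(duplicate_table: bool) -> bytes:
    """Fake executable: header, padding, the import table, padding, and
    optionally a second copy of the import table."""
    body = b"\x00" * 0x40 + IMPORT_TABLE + b"\x00" * 0x40
    if duplicate_table:
        body += IMPORT_TABLE + b"\x00" * 0x10
    return b"MZ" + body


# Benign layout: USER32's first slot follows KERNEL32's last slot by 8 bytes.
BENIGN = [DllImports("KERNEL32.dll", [0x2000, 0x2004, 0x2008]),
          DllImports("USER32.dll", [0x2010, 0x2014])]

# Suspicious layout: the second DLL's entries sit 0x6FF8 bytes further on.
SUSPICIOUS = [DllImports("KERNEL32.dll", [0x2000, 0x2004, 0x2008]),
              DllImports("ADVAPI32.dll", [0x9000, 0x9004])]


if __name__ == "__main__":
    t = threshold_from_normals(NORMAL_GAPS)   # 10 + 2 * sqrt(12), about 16.93
    n = len(IMPORT_TABLE)
    print(f"threshold = {t:.2f} bytes")
    print("benign, duplicated table     ->",
          classify(BENIGN, build_sample_file(True), TABLE_OFFSET, n, t))
    print("suspicious, single table     ->",
          classify(SUSPICIOUS, build_sample_file(False), TABLE_OFFSET, n, t))
    print("suspicious, duplicated table ->",
          classify(SUSPICIOUS, build_sample_file(True), TABLE_OFFSET, n, t))
```

The three `classify` calls in the demo exercise the three outcomes the claims distinguish: a small gap is normal whatever the rest of the file looks like (claim 1), a large gap without a duplicated table is still normal (claim 3), and only a large gap together with a duplicated table is malicious (claims 2 and 9). The fixed bound of claim 8 can be used instead of the statistical one simply by passing a `threshold` greater than 300.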

Claim 10

Original Legal Text

10. An electronic device, comprising: a storage unit for storing an executable file; and a processor for searching the executable file and extracting an import table from the executable file, wherein the import table at least comprises a name of a first DLL and a name of a second DLL; wherein the first DLL comprises a first function which is the last function of the first DLL, and the second DLL comprises a second function which is the first function of the second DLL; wherein the first DLL corresponds to a first address range that ends with an address of the first function, and the second DLL corresponds to a second address range that starts with an address of the second function; wherein the processor calculates a distance between the address of the first function and the address of the second function and determines whether the distance exceeds a threshold; and the processor regards the executable file as a normal file if the distance does not exceed the threshold.

Plain English Translation

This invention relates to detecting malicious executable files by analyzing their import tables and function addresses. The problem addressed is identifying potentially harmful files by examining the spatial relationship between dynamically linked libraries (DLLs) and their functions. The system includes a storage unit holding an executable file and a processor that extracts the import table from the file, which lists at least two DLLs. The first DLL contains a function that is its last function, while the second DLL contains a function that is its first function. The processor maps these DLLs to their respective memory address ranges, where the first DLL's range ends at the address of its last function and the second DLL's range begins at the address of its first function. The processor then calculates the distance between these two function addresses. If this distance is within a predefined threshold, the executable is classified as normal. This approach leverages the observation that malicious files often exhibit abnormal address spacing patterns between critical DLL functions, allowing for detection based on spatial anomalies in the import table. The system provides a method to assess file integrity by analyzing the logical and physical layout of imported functions in memory.

Claim 11

Original Legal Text

11. The electronic device according to claim 10 , wherein if the distance exceeds the threshold, then the processor checks whether a duplicate content of the import table exists in the executable file, and the processor regards the executable file as a malicious file if the duplicate content of the import table exists in the executable file.

Plain English Translation

Claim 11 is the device counterpart of claim 2. When the distance calculated by the processor between the last function of the first DLL and the first function of the second DLL exceeds the threshold, the processor checks whether duplicate content of the import table exists in the executable file held in the storage unit, and regards the file as malicious if it does. As in claim 2, the large distance alone does not decide the outcome; the duplicated import table content is the second condition required before the file is regarded as malicious.

Claim 12

Original Legal Text

12. The electronic device according to claim 11 , wherein if the duplicate content of the import table does not exist in the executable file, then the processor regards the executable file as the normal file.

Plain English Translation

Claim 12 is the device counterpart of claim 3: if the processor finds no duplicate content of the import table in the executable file, it regards the file as the normal file even though the distance exceeded the threshold. A large gap on its own therefore never causes the device to flag a file as malicious.

Claim 13

Original Legal Text

13. The electronic device according to claim 10 , wherein the import table further comprises a plurality of names of a plurality of first functions of the first DLL, a plurality of addresses of the first functions, a plurality of names of a plurality of second functions of the second DLL and a plurality of addresses of the second functions, and the distance is a difference obtained by subtracting the address of the last of the first functions from the address of the first of the second functions.

Plain English Translation

Claim 13 is the device counterpart of claim 4. The import table extracted by the processor further lists the names and addresses of a plurality of functions of the first DLL and of a plurality of functions of the second DLL, and the processor computes the distance by subtracting the address of the last of the first DLL's functions from the address of the first of the second DLL's functions.

Claim 14

Original Legal Text

14. The electronic device according to claim 13 , wherein the addresses of the first functions and the addresses of the second functions are relative virtual addresses (RVA).

Plain English Translation

Claim 14 is the device counterpart of claim 5: the addresses of the first functions and of the second functions used in the subtraction are relative virtual addresses (RVAs), offsets from the image base of the executable, so the distance computed by the processor does not depend on where the file is loaded in memory.

Claim 15

Original Legal Text

15. The electronic device according to claim 10 , wherein the threshold relates to an average value and a standard deviation of a plurality of distances among a plurality of normal DLLs.

Plain English Translation

Claim 15 is the device counterpart of claim 6: the threshold used by the processor relates to the average value and the standard deviation of a plurality of distances measured among a plurality of normal DLLs, so the cut-off is derived from a baseline of known-normal samples rather than chosen arbitrarily.

Claim 16

Original Legal Text

16. The electronic device according to claim 15 , wherein the threshold is the average value plus two times of the standard deviation.

Plain English Translation

Claim 16 is the device counterpart of claim 7: the threshold is the average value of the distances among normal DLLs plus two times their standard deviation, so a measured distance above it is an outlier relative to the normal baseline.

Claim 17

Original Legal Text

17. The electronic device according to claim 10 , wherein the threshold is greater than 300 bytes.

Plain English Translation

Claim 17 is the device counterpart of claim 8: the threshold used by the processor is greater than 300 bytes, so any gap of 300 bytes or less between the two function addresses causes the file to be regarded as normal.

Patent Metadata

Filing Date

Unknown

Publication Date

March 3, 2020

Inventors

Ming-Kung Sun
Chiung-Ying Huang
Tung-Lin Tsai
Gu-Hsin Lai
Chia-Mei Chen
Tzu-Ching Chang


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “ELECTRONIC DEVICE AND METHOD FOR DETECTING MALICIOUS FILE” (10579798). https://patentable.app/patents/10579798

© 2026 Nomic Interactive Technology LLC.